-- **SDOC**********************************************************************
-- ****************************************************************************
--
--             Copyright(c) 2005 Mediatrix Telecom, Inc.
--
--  NOTICE:
--   This document contains information that is confidential and proprietary
--   to Mediatrix Telecom, Inc.
--
--   Mediatrix Telecom, Inc. reserves all rights to this document as well as
--   to the Intellectual Property of the document and the technology and
--   know-how that it includes and represents.
--
--   This publication cannot be reproduced, neither in whole nor in part, in
--   any form whatsoever without written prior approval by
--   Mediatrix Telecom, Inc.
--
--   Mediatrix Telecom, Inc. reserves the right to revise this publication
--   and make changes at any time and without the obligation to notify any
--   person and/or entity of such revisions and/or changes.
--
-- ****************************************************************************
-- ****************************************************************************
--
-- MX-FIREWALL-MIB.my
--
-- Root for the module used to configure the Firewall.
--
-- ****************************************************************************
-- **EDOC**********************************************************************

MX-FIREWALL-MIB
DEFINITIONS ::= BEGIN

IMPORTS
        MODULE-IDENTITY,
        OBJECT-TYPE,
        Unsigned32,
        Integer32
    FROM SNMPv2-SMI
        MODULE-COMPLIANCE,
        OBJECT-GROUP
    FROM SNMPv2-CONF
        MxEnableState,
    FROM MX-TC
        mediatrixConfig
    FROM MX-SMI;

firewallMIB MODULE-IDENTITY
    LAST-UPDATED "200603060000Z"
    ORGANIZATION "Mediatrix Telecom, Inc."
    CONTACT-INFO "Mediatrix Telecom, Inc.
                  4229, Garlock Street
                  Sherbrooke (Quebec)
                  Canada
                  Phone: (819) 829-8749
                  "
    DESCRIPTION  "This MIB provides information to configure the firewall module.

                  This module is responsible to accept or drop packets intended for the unit
                  and the clients on the LAN.

                  The DROP action is done silently by default, without sending packets in answer.
                  Otherwise, the specific action will be documented."
    -- ************************************************************************
    -- Revision history
    -- ************************************************************************
    REVISION    "200603060000Z"
    DESCRIPTION "Modified the description of the firewallEnable variable."
    REVISION    "200504190000Z"
    DESCRIPTION "Creation"
    ::= { mediatrixConfig 450 }

firewallMIBObjects  OBJECT IDENTIFIER ::= { firewallMIB 1 }
firewallConformance OBJECT IDENTIFIER ::= { firewallMIB 2 }


    -- *************************************************************************
    -- Config variables
    -- *************************************************************************

    firewallEnable OBJECT-TYPE
        SYNTAX        MxEnableState
        MAX-ACCESS    read-write
        STATUS        current
        DESCRIPTION   "Enables/Disables the firewall.

                       enable  : The traffic is analyzed and filtered by all the rules configured in this module.

                                 All the enabled security rules in this module apply immediately.

                       disable : No security rule is activated.

                       Since the modification of this variable will be applied in real time, new settings can
                       affect the current network connections.

                       This variable's semantics are different depending on the hardware platform.
                       Please refer to the documentation shipped with your device for more
                       details.
                       "
        DEFVAL         { enable }
        ::= { firewallMIBObjects 10 }


    -- *************************************************************************
    -- Firewall Security variables
    -- *************************************************************************
    firewallSecurity OBJECT IDENTIFIER ::= { firewallMIBObjects 100 }


        firewallSecurityBadTcpPacketRule OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the behavior to drop the bad TCP packets from the WAN side.

                           When enabled, this variable configures rules that check incoming TCP packets
                           for malformed headers.  If a bad TCP packet is found, the firewall drops it silently.

                           This variable applies only if the variable firewallEnable is enabled.

                           Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                           "
            DEFVAL         { enable }
            ::= { firewallSecurity 10 }


        firewallSecurityTcpSynCookiesRule OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the behavior to protect the unit against the common 'syn flood attack'.

                           This variable applies only if the variable firewallEnable is enabled.

                           Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                           "
            DEFVAL         { enable }
            ::= { firewallSecurity 20 }


        firewallSecuritySourceRoutedPacketRule OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the behavior to drop source routed packets (packets with
                           SRR option) from the WAN side.

                           When enabled, this variable configures rules that drop all
                           packets with this option silently.

                           This variable applies only if the variable firewallEnable is enabled.

                           Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                           "
            DEFVAL         { disable }
            ::= { firewallSecurity 30 }


        firewallSecurityMulticastPacketRule OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the behavior to drop multicast packets from the WAN side.

                           When enabled, this variable configures rules that drop incoming WAN multicast
                           packets. If multicast packets are found, the firewall drops them silently.

                           This variable applies only if the variable firewallEnable is enabled.

                           Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                           "
            DEFVAL         { enable }
            ::= { firewallSecurity 40 }


        firewallSecurityIdentRule OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the behavior to drop IDENT request packets from the WAN side.

                           When enabled, this variable configures rules that drop incoming IDENT request
                           packets and send back a TCP RST packet.  This behavior is required because
                           dropping silently on port 113 may cause connection problems.

                           This variable applies only if the variable firewallEnable is enabled.

                           Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                           "
            DEFVAL         { enable }
            ::= { firewallSecurity 50 }


        firewallSecurityReversePathFilteringRule OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the behavior to filter packets by reverse path filtering.

                           When enabled, this variable configures rules that silently drop packets
                           received on one interface and answered on another interface. In this case,
                           the packet is bogus and the firewall drops it.

                           This variable applies only if the variable firewallEnable is enabled.

                           Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                           "
            DEFVAL         { disable }
            ::= { firewallSecurity 60 }


        firewallSecurityBlockWanEchoRequestRule OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the behavior to silently drop ICMP echo requests received from the WAN side.

                           This variable applies only if the variable firewallEnable is enabled.

                           Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                           "
            DEFVAL         { disable }
            ::= { firewallSecurity 70 }


        firewallSecurityBlockLanEchoRequestRule OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the behavior to silently drop ICMP echo requests received on
                           the LAN interface.

                           This variable applies only if the variable firewallEnable is enabled.

                           Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                           "
            DEFVAL         { disable }
            ::= { firewallSecurity 80 }


        firewallSecurityBlockWanEchoBroadcastRule OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the behavior to silently drop incoming WAN ICMP echo
                           requests sent to the broadcast address.

                           This variable applies only if the variable firewallEnable is enabled.

                           Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                           "
            DEFVAL         { enable }
            ::= { firewallSecurity 90 }


        firewallSecurityBlockIcmpRedirectionInRule OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the behavior to silently drop the reception of ICMP redirect
                           messages from the WAN side.

                           This variable applies only if the variable firewallEnable is enabled.

                           Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                           "
            DEFVAL         { enable }
            ::= { firewallSecurity 100 }


        firewallSecurityBlockIcmpRedirectionOutRule OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the behavior to block sending of ICMP redirect messages.

                           This variable applies only if the variable firewallEnable is enabled.

                           Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                           "
            DEFVAL         { enable }
            ::= { firewallSecurity 110 }



    -- *************************************************************************
    -- Spoof Security variables
    -- *************************************************************************
    firewallSecuritySpoof  OBJECT IDENTIFIER ::= { firewallSecurity 1000 }


        firewallSecuritySpoofEnable OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the security rules against IP addresses spoofing contained in the
                           table firewallSecuritySpoofTable.

                           These rules can prevent reception of packets from the WAN side according to
                           the source address of those packets.

                           This variable applies only if the variable firewallEnable is enabled.

                           Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                           "
            DEFVAL         { enable }
            ::= { firewallSecuritySpoof 10 }


        -- ************************************************************************
        -- Spoof table
        -- ************************************************************************

        firewallSecuritySpoofTable OBJECT-TYPE
            SYNTAX      SEQUENCE OF FirewallSecuritySpoofEntry
            MAX-ACCESS  not-accessible
            STATUS      current
            DESCRIPTION "
                         A table that contains the static security rules against spoofing.  Each one of these
                         rules must be enabled by the variable firewallSecuritySpoofRuleEnable.

                         This table applies only if the variable firewallSecuritySpoofEnable is enabled and if the
                         variable firewallEnable is also enabled.

                         The user cannot add rules in this table.  The user can simply enable or disable the rules
                         present.
                         "
            ::= { firewallSecuritySpoof 100 }


            firewallSecuritySpoofEntry OBJECT-TYPE
                SYNTAX      FirewallSecuritySpoofEntry
                MAX-ACCESS  not-accessible
                STATUS      current
                DESCRIPTION "
                             A row in the firewallSecuritySpoofTable used to specify a spoofing rule.
                             An entry is enabled if the variable firewallEnable is enabled and if the
                             variable firewallSecuritySpoofRuleEnable of this row is also enabled.
                             "
                INDEX       {
                                firewallSecuritySpoofIndex
                            }
                ::= { firewallSecuritySpoofTable 5 }


                FirewallSecuritySpoofEntry ::= SEQUENCE
                {
                    firewallSecuritySpoofIndex          Unsigned32,
                    firewallSecuritySpoofLabel          OCTET STRING,
                    firewallSecuritySpoofAddress        OCTET STRING,
                    firewallSecuritySpoofRuleEnable     MxEnableState
                }


                firewallSecuritySpoofIndex OBJECT-TYPE
                    SYNTAX  Unsigned32 (1..255)
                    MAX-ACCESS  read-only
                    STATUS      current
                    DESCRIPTION "Anti-spoofing rule index for this row.
                                 "
                    ::= { firewallSecuritySpoofEntry 10 }


                firewallSecuritySpoofLabel OBJECT-TYPE
                    SYNTAX  OCTET STRING (SIZE(0..255))
                    MAX-ACCESS  read-only
                    STATUS      current
                    DESCRIPTION "Short description of the anti-spoofing rule.
                                 "
                    ::= { firewallSecuritySpoofEntry 20 }


                firewallSecuritySpoofAddress OBJECT-TYPE
                    SYNTAX  OCTET STRING (SIZE(0..255))
                    MAX-ACCESS  read-only
                    STATUS      current
                    DESCRIPTION "Source IP address and mask of the packets this rule must drop silently.
                                 "
                    ::= { firewallSecuritySpoofEntry 30 }


                firewallSecuritySpoofRuleEnable OBJECT-TYPE
                    SYNTAX        MxEnableState
                    MAX-ACCESS    read-write
                    STATUS        current
                    DESCRIPTION   "Indicates if the specific anti-spoofing rule of a row is used or not.

                                   This variable applies only if both the variable firewallEnable and this table
                                   are enabled.

                                   Since the modification of this variable will be applied in real time, new settings can
                           affect the current network connections.
                                   "
                    DEFVAL         { disable }
                    ::= { firewallSecuritySpoofEntry 40 }


    -- *************************************************************************
    -- Firewall Security variables
    -- *************************************************************************
    firewallSyslog OBJECT IDENTIFIER ::= { firewallMIBObjects 200 }

        firewallSyslogEnable OBJECT-TYPE
            SYNTAX        MxEnableState
            MAX-ACCESS    read-write
            STATUS        current
            DESCRIPTION   "Enables/Disables the syslog for the firewall notification messages.
                           "
            DEFVAL         { disable }
            ::= { firewallSyslog 10 }


    -- ************************************************************************
    -- Conformance information
    -- ************************************************************************

    firewallCompliances OBJECT IDENTIFIER ::= { firewallConformance 1 }

    firewallComplVer1 MODULE-COMPLIANCE
        STATUS      current
        DESCRIPTION
            "Minimal parameters definitions to support the firewall configuration."
        MODULE -- This Module
            MANDATORY-GROUPS {
                                 firewallGroupVer1,
                                 firewallSecurityGroupVer1,
                                 firewallSecuritySpoofGroupVer1,
                                 firewallSyslogGroupVer1
                             }
        ::= { firewallCompliances 1 }


    -- ************************************************************************
    -- MIB variable grouping
    -- ************************************************************************
    firewallGroups OBJECT IDENTIFIER ::= { firewallConformance 2 }

    firewallGroupVer1 OBJECT-GROUP
        OBJECTS {
                   firewallEnable
                }
        STATUS current
        DESCRIPTION
            "
             This group holds the minimal set of objects to enable the firewall basic services.
             "
        ::= { firewallGroups 1 }


    firewallSecurityGroupVer1 OBJECT-GROUP
        OBJECTS {
                    firewallSecurityBadTcpPacketRule,
                    firewallSecurityTcpSynCookiesRule,
                    firewallSecuritySourceRoutedPacketRule,
                    firewallSecurityMulticastPacketRule,
                    firewallSecurityIdentRule,
                    firewallSecurityReversePathFilteringRule,
                    firewallSecurityBlockWanEchoRequestRule,
                    firewallSecurityBlockLanEchoRequestRule,
                    firewallSecurityBlockWanEchoBroadcastRule,
                    firewallSecurityBlockIcmpRedirectionInRule,
                    firewallSecurityBlockIcmpRedirectionOutRule
                }
        STATUS current
        DESCRIPTION
            "
             This group holds the minimal set of objects that defines
             the firewall rules.
             "
        ::= { firewallGroups 2 }

    firewallSecuritySpoofGroupVer1 OBJECT-GROUP
        OBJECTS {
                    firewallSecuritySpoofEnable,
                    firewallSecuritySpoofLabel,
                    firewallSecuritySpoofAddress,
                    firewallSecuritySpoofRuleEnable
                }
        STATUS current
        DESCRIPTION
            "
             This group holds the minimal set of objects that defines the firewall rules against anti-spoofing.
             "
        ::= { firewallGroups 3 }


    firewallSyslogGroupVer1  OBJECT-GROUP
        OBJECTS {
                    firewallSyslogEnable
                }
        STATUS current
        DESCRIPTION
            "
             This group holds the minimal set of objects to enable the firewall syslog.
             "
        ::= { firewallGroups 4 }

END

